[rubygem-activerecord/f17] Fix for CVE-2012-2661.
Vít Ondruch
vondruch at fedoraproject.org
Mon Jun 4 16:32:07 UTC 2012
commit 346541dcc1e3a714833793d8852ebfb9cca8c062
Author: Vít Ondruch <vondruch at redhat.com>
Date: Mon Jun 4 18:31:56 2012 +0200
Fix for CVE-2012-2661.
...uilder-should-not-recurse-for-determining.patch | 66 ++++++++++++++++++++
rubygem-activerecord.spec | 17 +++++-
2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
new file mode 100644
index 0000000..c1076e0
--- /dev/null
+++ b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
@@ -0,0 +1,66 @@
+From 99f030934eb8341db333cb6783d0f42bfa57358f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Wed, 30 May 2012 15:06:12 -0700
+Subject: [PATCH] predicate builder should not recurse for determining where
+ columns. Thanks to Ben Murphy for reporting this
+
+CVE-2012-2661
+---
+ .../lib/active_record/relation/predicate_builder.rb | 6 +++---
+ activerecord/test/cases/relation/where_test.rb | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+ create mode 100644 activerecord/test/cases/relation/where_test.rb
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 505c3f4..84e88cf 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+ @engine = engine
+ end
+
+- def build_from_hash(attributes, default_table)
++ def build_from_hash(attributes, default_table, check_column = true)
+ predicates = attributes.map do |column, value|
+ table = default_table
+
+ if value.is_a?(Hash)
+ table = Arel::Table.new(column, :engine => @engine)
+- build_from_hash(value, table)
++ build_from_hash(value, table, false)
+ else
+ column = column.to_s
+
+- if column.include?('.')
++ if check_column && column.include?('.')
+ table_name, column = column.split('.', 2)
+ table = Arel::Table.new(table_name, :engine => @engine)
+ end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+new file mode 100644
+index 0000000..90c690e
+--- /dev/null
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -0,0 +1,19 @@
++require "cases/helper"
++require 'models/post'
++
++module ActiveRecord
++ class WhereTest < ActiveRecord::TestCase
++ fixtures :posts
++
++ def test_where_error
++ assert_raises(ActiveRecord::StatementInvalid) do
++ Post.where(:id => { 'posts.author_id' => 10 }).first
++ end
++ end
++
++ def test_where_with_table_name
++ post = Post.first
++ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
++ end
++ end
++end
+--
+1.7.10.2
+
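Review bot: The new `check_column` parameter added at `def build_from_hash(attributes, default_table, check_column = true)` carries the whole point of the fix but is undocumented, so a later maintainer could plausibly "simplify" the recursive call back to splitting dotted keys. I would add above the method: `# A 'table.column' key is only split at the top level; inside a nested hash the table is already fixed by the enclosing key, so a dotted key there is passed through as a plain column name (CVE-2012-2661).` The added `where_test.rb` pins exactly this: `'posts.author_id'` nested under `:id` must raise `StatementInvalid` rather than be re-pointed at the posts table as the removed `if column.include?('.')` branch allowed. The PredicateBuilder class this hunk patches starts and ends outside the quoted hunk. The patch is labelled for 3.0.13 while the spec keeps `Version: 3.0.11`, so it is presumably a straight backport; worth confirming the predicate_builder context lines match 3.0.11 so `%patch3 -p2` does not fuzz onto the wrong location.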
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 96fbc08..8e75344 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -7,7 +7,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.0.11
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -34,6 +34,10 @@ Patch1: activerecord-tests-fix.patch
Patch2: activerecord-downgrade-dependencies.patch
+# Fixes CVE-2012-2661
+# https://bugzilla.redhat.com/show_bug.cgi?id=827363
+Patch3: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
+
Requires: ruby(abi) = %{rubyabi}
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
@@ -80,6 +84,7 @@ tar xzvf %{SOURCE2} -C .%{gem_instdir}
pushd ./%{gem_instdir}
%patch0 -p0
%patch1 -p0
+%patch3 -p2
popd
pushd .%{gem_dir}
@@ -120,6 +125,13 @@ rm -rf %{buildroot}
%check
pushd .%{gem_instdir}
+# Test fails with newer mocha. Keep with older one is not solution.
+# https://github.com/rails/rails/pull/6046
+# https://github.com/rails/rails/commit/2aa7c6d065802cd230a812b8331ee293e4aae0e8
+sed -i '590,595 s|^|#|' test/cases/autosave_association_test.rb
+sed -i '635,640 s|^|#|' test/cases/autosave_association_test.rb
+sed -i '700,708 s|^|#|' test/cases/autosave_association_test.rb
+
# to prevent a circular dependency w/ actionpack
mv test/cases/session_store/session_test.rb \
test/cases/session_store/session_test.rb.norun
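Review bot: The three `sed -i '590,595 s|^|#|' test/cases/autosave_association_test.rb` lines disable test code by absolute line number, which succeeds silently whether or not those lines still hold the intended tests, so any later change to that file would comment out the wrong assertions with no build failure. A patch file that removes the affected test methods by name, or at least a `grep -q` guard on the expected method name at each range before the `sed` so a mismatch fails `%check`, would make the intent verifiable. The two upstream links in the comment are the right reference to keep next to whichever form is chosen.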
@@ -143,6 +155,9 @@ popd
%{gem_spec}
%changelog
+* Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-2
+- Fix for CVE-2012-2661.
+
* Tue Jan 31 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.11-1
- Rebuilt for Ruby 1.9.3.
- Update to ActionPack 3.0.11